Skip to content
Ransomware group

Abyss

Abyss is ransomware observed in a small number of incidents affecting industrial organizations.

Profile source: Mallory opens in a new tab

Abyss

Family profile

Abyss is ransomware observed in a small number of incidents affecting industrial organizations. Dragos listed Abyss among minimal-activity groups in 2025, with one reported industrial incident in the cited reporting period. High-confidence reporting also links Abyss-related intrusions to compromises of SonicWall SMA appliances. Google Threat Intelligence Group identified noteworthy overlaps between activity by UNC6148 on end-of-life SonicWall SMA 100 devices and Abyss-related ransomware incidents. In late 2023, Truesec investigated an Abyss ransomware incident in which attackers installed a web shell on an SMA appliance, and the web shell reportedly maintained persistence despite firmware updates. In March 2024, incident response reporting from InfoGuard AG described a similar SMA device compromise that also resulted in deployment of Abyss malware. Based on the cited content, Abyss has been associated with persistence on compromised edge appliances, particularly SonicWall SMA devices, and deployment following appliance compromise. The content does not provide further confirmed technical details on Abyss encryption behavior, ransom workflow, specific victimology beyond industrial-sector reporting, or distinct indicators of compromise.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning Abyss

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.